Win32/RussoTuristo [Threat Name]
Win32/RussoTuristo [Threat Variant Name]
Category | worm
Size | 53326 B
Aliases | Worm.Win32.RussoTuristo.f (Kaspersky)
 | Worm:Win32/RussoTuristo.A (Microsoft)
 | W32.SillyDC (Symantec)
 | Win32:RussoTuristo-C (Avast)
Short description
Win32/RussoTuristo is a worm that spreads via removable media. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself to the following locations:
- %windows%\Cursors\services.exe
- %systemdrive%\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\CD Burning\Новая папка.exe
- %systemdrive%\Documents and Settings\%username%\Мои документы\Новая папка.exe
The file name "Новая папка.exe" is Russian for "New folder.exe", and "Мои документы" is the localized My Documents folder. Note that the copy named services.exe lives under %windows%\Cursors, not in %windows%\System32 where the legitimate services.exe resides.
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Local Service" = "%windows%\Cursors\services.exe"
The following Registry entries are set. Together they remove the Folder Options dialog, hide hidden and system files, hide file extensions (so that "Новая папка.exe" is displayed as "Новая папка" and resembles a folder) and block the Registry Editor:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoFolderOptions" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 0
- "ShowSuperHidden" = 0
- "HideFileExt" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableRegistryTools" = 1
- "DisableCMD" = 0
Spreading
The worm copies itself into the root folders of fixed and/or removable drives using the following name:
- Новая папка.exe ("New folder.exe")
The worm also copies itself into existing subfolders on those drives.
The name of the file may be based on the name of an existing file or folder.
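The following triage script is an added example for the Installation and Spreading sections above; it is not ESET's code and is not derived from the worm. It checks only the indicators this page lists: the "Local Service" Run value, the Explorer and policy values, the three dropped file paths, and "Новая папка.exe" in the root and first-level subfolders of fixed and removable drives. The quarantine folder, the mapping of the XP-era "Documents and Settings" paths through %LOCALAPPDATA% and the shell My Documents folder, and the one-level subfolder scan depth are assumptions. It requires PowerShell 3.0 or later and an elevated console.

```powershell
<#
  Added triage/cleanup script for the Win32/RussoTuristo indicators listed on
  this page. Not ESET's code. Run from an elevated PowerShell console.
  -Remediate stops the worm process, reverts the registry values and moves
  matching files into $Quarantine (assumed location, not from the page).
#>
param(
    [switch]$Remediate,
    [string]$Quarantine = "$env:SystemDrive\Quarantine"
)

$dropperName = 'Новая папка.exe'      # "New folder.exe"
$findings    = New-Object System.Collections.Generic.List[string]

# 0. The worm's copy is named services.exe but runs from %windows%\Cursors,
#    not System32. Stop it first so cleanup is not undone while it runs.
if ($Remediate) {
    Get-Process -Name services -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$env:windir\Cursors\*" } |
        Stop-Process -Force
}

# 1. Persistence: HKCU\...\Run "Local Service" = %windows%\Cursors\services.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'Local Service' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings.Add("Run value 'Local Service' = $($runVal.'Local Service')")
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'Local Service' }
}

# 2. Dropped copies from the Installation section. Mapping the XP-era
#    "Documents and Settings" paths via LOCALAPPDATA and the shell My Documents
#    folder is an assumption for newer Windows versions.
$dropPaths = @(
    "$env:windir\Cursors\services.exe",
    "$env:LOCALAPPDATA\Microsoft\CD Burning\$dropperName",
    (Join-Path ([Environment]::GetFolderPath('MyDocuments')) $dropperName)
)

# 3. Explorer/policy values the worm sets, each with the value that undoes it.
$policy = @(
    @{ Key='Policies\Explorer'; Name='NoFolderOptions';      Bad=1; Restore=0 },
    @{ Key='Explorer\Advanced'; Name='Hidden';               Bad=0; Restore=1 },
    @{ Key='Explorer\Advanced'; Name='ShowSuperHidden';      Bad=0; Restore=1 },
    @{ Key='Explorer\Advanced'; Name='HideFileExt';          Bad=1; Restore=0 },
    @{ Key='Policies\System';   Name='DisableRegistryTools'; Bad=1; Restore=0 }
)
foreach ($p in $policy) {
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$($p.Key)"
    $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($p.Name) -eq $p.Bad) {
        $findings.Add("$path\$($p.Name) = $($p.Bad)")
        if ($Remediate) { Set-ItemProperty -Path $path -Name $p.Name -Value $p.Restore -Type DWord }
    }
}

# 4. Spreading copies: the dropper name in the root of every removable (2) or
#    fixed (3) drive and in its first-level subfolders. The page says "existing
#    subfolders" without giving a depth; one level is an assumption.
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
foreach ($d in $drives) {
    $root = "$($d.DeviceID)\"
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.FullName })
    foreach ($dir in $dirs) { $dropPaths += Join-Path $dir $dropperName }
}

# Report, and optionally quarantine, every candidate path that exists on disk.
# -Force is needed because the copies may carry the hidden/system attributes.
foreach ($f in ($dropPaths | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $size = (Get-Item -LiteralPath $f -Force).Length
        $findings.Add("File present: $f ($size B)")
        if ($Remediate) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            $dest = Join-Path $Quarantine (($f -replace '[:\\]', '_') + '.bin')
            Move-Item -LiteralPath $f -Destination $dest -Force
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { "[!] $_" } }
else                 { 'No Win32/RussoTuristo indicators found.' }
```

Do the registry cleanup from the PowerShell console rather than regedit.exe: as described under Other information, the worm reboots the machine as soon as a window titled "Редактор реестра" (Registry Editor) or "Результаты поиска" (Search Results) appears, and DisableRegistryTools = 1 blocks regedit anyway until the value is reverted. Run the script once without -Remediate to review the findings, then again with -Remediate; a file of 53326 B matching the listed paths is consistent with the size given in the table above.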
Other information
The worm restarts the operating system if a window exists whose title contains any of the following strings:
- Настройка системы ("System Configuration")
- Порно ("Porn")
- Редактор реестра ("Registry Editor")
- Результаты поиска ("Search Results")
If the current system date and time matches certain conditions, the worm attempts to delete all files and folders stored on the available drives.